Steps

Preventing Conflicting Authentication Policies for Ports

Deploy Aspen Mesh

The first step is to log in to the Aspen Mesh dashboard at https://my.aspenmesh.io/. A temporary account has already been created for you; the credentials are shown in your terminal window.

Task: Deploy Aspen Mesh

To connect Aspen Mesh to the Kubernetes cluster provided, you need to run an installation script. It has already been downloaded for you; start it with /opt/install.sh

The script will prompt you for your allocated email address and your chosen password. It will also ask where to deploy the assets; for now, accept the defaults. The Aspen Mesh installation script will then deploy the required components.

After the script has finished, Istio and the Aspen Mesh Agent will be deployed to the cluster.

Check that the pods have come up (each should reach the Running state) with:

kubectl get pods -n istio-system

Step 1 - Authentication Policies Introduction

Authentication policies are used to define the authentication and mTLS requirements that a workload requires to accept traffic.

Authentication policies can target an entire namespace, a service in that namespace, or a port of that service. Policies for more specific targets override less specific policies.

When two policies have the same target, the behavior is indeterminate: at any time you may observe the behavior specified by either policy. Because a policy can switch mTLS off, an unnoticed conflict can mean a port you believe is protected intermittently accepts plaintext traffic.

Step 2 - Cause of Conflicts

In the first sample, there is a conflict. Two policies target the same port (8001) of service svc-1 in namespace ns-1. The first policy turns mTLS on for ports 8000 and 8001, while the second policy turns mTLS off for port 8001. The two policies conflict, and traffic to port 8001 will see unwanted behavior: sometimes the first policy will apply, and sometimes the second.

In the second sample, there are no conflicts. The first policy turns mTLS on for svc-1 in namespace ns-2, while the second policy turns mTLS off only for port 8000 of the same service. The targets overlap because of the broader scope of the first policy, but the second policy is more specific, so there is no conflict. The second policy applies only to svc-1 workloads on port 8000, while the policy without a port listed remains in effect for all other ports of that service.
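The two samples above are described in prose only, so the following is an added illustration (not Aspen Mesh or Istio code) of the precedence and conflict rules they rely on. It models policies as dicts in the shape of an authentication.istio.io/v1alpha1 Policy spec (targets[].name, targets[].ports[].number, peers[].mtls), treats "mTLS off" as a policy with no peers entry, and constructs two policy pairs that mirror the conflicting and the non-conflicting samples. The policy names (mtls-on-8000-8001 and so on) are assumptions chosen for this example. It generalizes beyond the two samples: it resolves the effective policy for any namespace, service and port, and reports every policy involved in a same-specificity clash.

```python
"""Resolve which Istio v1alpha1 authentication Policy governs a service port
and flag same-target conflicts. Added example; the policies below are
constructed to mirror the samples described in the text, not copied from them.
"""

# Specificity ranks: a more specific target overrides a less specific one.
NAMESPACE, SERVICE, PORT = 0, 1, 2


def make_policy(name, namespace, targets, mtls):
    """Build a dict shaped like an authentication.istio.io/v1alpha1 Policy.
    mtls=False is expressed, as in Istio, by omitting the peers entry."""
    spec = {"targets": targets}
    if mtls:
        spec["peers"] = [{"mtls": {}}]
    return {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def policy_scopes(policy):
    """Yield (rank, service, port) for every scope a policy covers.
    No targets means namespace-wide; a target without ports means whole service."""
    targets = policy["spec"].get("targets") or []
    if not targets:
        yield (NAMESPACE, None, None)
        return
    for target in targets:
        ports = target.get("ports") or []
        if not ports:
            yield (SERVICE, target["name"], None)
        for port in ports:
            yield (PORT, target["name"], port["number"])


def mtls_enabled(policy):
    """mTLS is required when the policy lists a peers[].mtls entry."""
    return any("mtls" in peer for peer in policy["spec"].get("peers") or [])


def resolve(policies, namespace, service, port):
    """Return (winning_policy_name, conflicting_names) for one service port.

    Only policies in the same namespace are considered. The most specific
    matching scope wins; if several policies match at that same specificity
    the outcome is indeterminate, so no winner is returned and all of them
    are listed as conflicting.
    """
    best_rank, matches = -1, []
    for policy in policies:
        if policy["metadata"]["namespace"] != namespace:
            continue
        for rank, svc, prt in policy_scopes(policy):
            if svc not in (None, service) or prt not in (None, port):
                continue  # scope does not cover this service/port
            if rank > best_rank:
                best_rank, matches = rank, [policy]
            elif rank == best_rank and policy not in matches:
                matches.append(policy)
    if not matches:
        return None, []
    names = [p["metadata"]["name"] for p in matches]
    return (names[0], []) if len(names) == 1 else (None, names)


def effective_mtls(policies, namespace, service, port):
    """True/False for the winning policy; None when there is no policy
    or the policies conflict (the port must then be treated as unprotected)."""
    winner, _conflicts = resolve(policies, namespace, service, port)
    if winner is None:
        return None
    by_name = {p["metadata"]["name"]: p for p in policies}
    return mtls_enabled(by_name[winner])


# Constructed to mirror the first sample: both policies target svc-1:8001 in ns-1.
CONFLICTING = [
    make_policy("mtls-on-8000-8001", "ns-1",
                [{"name": "svc-1", "ports": [{"number": 8000}, {"number": 8001}]}],
                mtls=True),
    make_policy("mtls-off-8001", "ns-1",
                [{"name": "svc-1", "ports": [{"number": 8001}]}], mtls=False),
]

# Constructed to mirror the second sample: service-wide on, port 8000 off, in ns-2.
LAYERED = [
    make_policy("mtls-on-svc-1", "ns-2", [{"name": "svc-1"}], mtls=True),
    make_policy("mtls-off-8000", "ns-2",
                [{"name": "svc-1", "ports": [{"number": 8000}]}], mtls=False),
]

if __name__ == "__main__":
    for label, policies, ns in (("conflicting", CONFLICTING, "ns-1"),
                                ("layered", LAYERED, "ns-2")):
        for port in (8000, 8001, 9000):
            print(label, ns, "svc-1", port, resolve(policies, ns, "svc-1", port))
```

Running the script shows svc-1:8001 in ns-1 resolving to no winner with both policies listed, while in ns-2 port 8000 resolves to the port-specific policy and every other port to the service-wide one. The same resolve function is a cheap pre-apply check: run it over the policies you are about to apply and refuse any that report a conflict.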

Help

Katacoda offers an interactive learning environment for developers. This course uses a command line and a pre-configured sandboxed environment. Below are useful commands when working with the environment.

cd <directory>            Change directory

ls                        List directory

echo 'contents' > <file>  Write contents to a file

cat <file>                Output contents of file

Vim

In certain exercises you will be required to edit files or text. The best approach is with Vim. Vim has two different modes, one for entering commands (Command Mode) and the other for entering text (Insert Mode); you switch between them depending on what you want to do. The basic commands are: